The present application asserts priority rights based on JP Patent Application 2012-227922 filed in Japan on Oct. 15, 2012, the total contents thereof being incorporated by reference into the present Application.
This invention relates to a communication node, a control apparatus, a communication system, a packet processing method and a program. More particularly, it relates to a communication node, a control apparatus, a communication system, a packet processing method and a program in which a communication node processes a received packet under the control of the control apparatus.
Recently, a technique known as OpenFlow has been proposed in Non-Patent Literatures 1, 2. OpenFlow treats communication as end-to-end flows and performs path control, recovery from malfunctions, load balancing and optimization on a per-flow basis. An OpenFlow switch, specified in Non-Patent Literature 2, has a secure channel over which it communicates with an OpenFlow Controller, and operates in accordance with a flow table to which the OpenFlow Controller instructs additions or rewrites as necessary. Each entry of the flow table defines, per flow, a set of match conditions (Match Fields) to be collated against a packet header, flow statistics (Counters) and instructions that define the processing to be applied (Instructions). See ‘4.1 Flow Table’ of Non-Patent Literature 2.
On receipt of a packet, the OpenFlow switch searches the flow table for an entry whose match condition conforms to the header information of the received packet. See ‘4.3 Match Fields’ of Non-Patent Literature 2. If a matching entry is found, the OpenFlow switch updates the flow statistics (Counters) and executes the processing stated in the instruction field of that entry, such as output on a specified port, flooding or dropping. If no matching entry is found, the OpenFlow switch sends the OpenFlow Controller, over the secure channel, an entry setting request, that is, a request for the control information needed to process the received packet (Packet-In message). The OpenFlow switch receives a flow entry stating the processing contents and updates its flow table. Thereafter the OpenFlow switch forwards packets using the entry stored in the flow table as the control information.
In Patent Literature 1, there is disclosed an example access control apparatus that performs role-based access control, referred to below as ‘RBAC’. The access control apparatus, disclosed in the Patent Literature, stores a user information table, in which attribute values are set from one user to another, a role information table, in which roles each showing a combination of the attribute values are set, and an access control table, in which role IDs are set as access conditions from one content to another. The access control apparatus of the Patent Literature sets a list of users, whose attribute values correspond to the roles, in a user list information table from one role to another. When an accessing request to any content has been made, an access control section identifies the role of the access condition, based on the access control table, and decides on an access right depending on whether or not an accessing user is included in the user list of the so identified role.
The following analysis is given by the present invention. If the technique of the Non-Patent Literatures 1, 2 is used, and flow entries that take the roles into account are set on OpenFlow switches on a transmission path, not only role-based access control as taught in Patent Literature 1 but also path control may be implemented.
On the other hand, if the technique of the Non-Patent Literatures 1, 2 is used, a flow entry is prepared for each resource that a user having a certain role may access. Thus, as the number of users or resources increases, the number of flow entries needed equals the number of combinations of users and resources, raising the problem that the load imposed on the OpenFlow switches and on the Controller increases.
It is an object of the present invention to provide a communication node, a control apparatus, a communication system, a packet processing method and a program in a centralized control network represented by the above mentioned OpenFlow, in which it is possible to contribute to reducing the load otherwise imposed on a control apparatus exercising role-based access control and on a communication node. The control apparatus is equivalent to the above mentioned ‘Controller’ and the communication node to the above mentioned ‘OpenFlow switch’.
In a first aspect, there is provided a communication node, comprising: a first table for matching against first information in a header of a packet received and deciding an attribute or a right of a source of the packet; a second table for matching against second information in the header of the packet received and finding content of processing for the packet from the source of the packet having the attribute or the right as decided using the first table; and a packet processing unit that, on receipt of the packet, decides the attribute or the right of the source of the packet, using the first table, and that thereafter finds, using the second table, the content of processing for the packet from the source of the packet having the attribute or the right as decided using the first table.
In a second aspect, there is provided a control apparatus that sets entries of the first and second tables in the above described communication node.
In a third aspect, there is provided a communication system including the above mentioned communication node and the above mentioned control apparatus.
In a fourth aspect, there is provided a packet processing method for a communication node including a first table for matching against first information in a header of a packet received and deciding an attribute or a right of a source of the packet, and a second table for matching against second information in the header of the packet received and finding content of processing for the packet from the source of the packet having the attribute or the right as decided using the first table. The method comprises: by the communication node, deciding the attribute or the right of the source of the packet using the first table; and finding, using the second table, the content of processing for the packet from the source of the packet having the attribute or the right as decided using the first table; and processing the packet received. The present method is bound up with a particular machine which is a communication node that processes the received packet by referencing the above mentioned first and second tables.
In a fifth aspect, there is provided a program for a computer on board a communication node including a first table for matching against first information in a header of a packet received and deciding an attribute or a right of a source of the packet, and a second table for matching against second information in the header of the packet received and finding content of processing for the packet from the source of the packet having the attribute or the right as decided using the first table. The program causes the computer to execute: deciding the attribute or the right of the source of the packet using the first table; and finding, using the second table, the content of processing for the packet from the source of the packet having the attribute or the right as decided using the first table, and applying the content of processing to the received packet. It is noted that the program can be recorded on a computer-readable, i.e., non-transient, recording medium. That is, the present invention may be implemented as a computer program product.
According to the present invention, it is possible to contribute to reducing the load otherwise imposed on a control apparatus or a communication node in case of exercising role-based access control in a centralized control network.
Initially, a summary of a preferred mode of the present invention will be described with reference to the drawings. It is noted that symbols are entered in the summary merely as examples to assist in understanding and are not intended to limit the present invention to the mode illustrated.
In an exemplary embodiment, the present invention may be implemented by a communication node including a first table 11A, a second table 12A, and a packet processing unit 13A that processes a received packet by referencing the two tables, as shown in
It is noted that the first information in the header is preferably information represented by the address of the source of packet transmission and used for deciding the attribute or right of that source, for example the role in RBAC. In this case the ingress port information may be collated in combination with the address, so that a packet whose source address is legitimate but which arrives on an ingress port on which that address should not appear is dropped without any further processing; this blocks a host that merely spoofs the address of an authenticated user. The second information in the header may, for example, be the destination address of the received packet.
It is seen from the above that role-based access control may be exercised by the communication node alone, without relying on the control apparatus for the decision. Moreover, the number of entries retained by the communication node is reduced from the simple value of the number of users multiplied by the number of resources to the number of users (entries in the first table) plus the number of roles multiplied by the number of resources (entries in the second table). Hence the load on the control apparatus and on the communication nodes may be reduced.
An exemplary embodiment 1 of the present invention will now be described with reference to the drawings.
The communication node 10 is comprised of a first table 11, a second table 12, a packet processing unit 13 and a memory 14 that includes a role decision result storage area in which to temporarily store a role ID of a transmission source as determined from a received packet. The configuration of each component part of the communication node 10 will be explained in detail subsequently. Although
The control apparatus 20 includes an entry generation section 21 that, triggered by reception of the result of authentication from the authentication server 30 or by update of a policy database, referred to below as ‘policy DB’, generates an entry to be set in the communication node 10. The control apparatus 20 also includes an entry setting section 22 that sets the generated entry in the communication node 10, and the policy DB 23 in which to store communication policies, such as tables showing the relationship between users and roles as well as the relationship between the roles and rights to access etc. The operation of the entry generation section 21 will be set out hereinbelow in detail.
The authentication server 30 takes charge of authenticating a user, who acts on the client 40, responsive to a request from the client 40. The authentication server 30 informs the control apparatus 20 about the result of the user authentication.
The client 40 is an information processing device, such as a personal computer, a mobile terminal or a mobile phone, operated by the user, while the server 50 is any one of servers of various sorts that render services for the client 40. Although only one client 40 and only one server 50 are shown in
It is noted that various component parts (processing means) of the communication node 10 and the control apparatus 20, shown in
A from the first table 11 to determine the role of the transmission source A. The packet processing unit 13 then searches an entry having the combination of the role decided as described above and the destination from the second table 12, and executes the processing prescribed in the entry (Instructions).
When a new entry is added to the authentication information table shown in an upper part of
The entry setting section 22 of the control apparatus 20 sets the entries, generated as described above, in the first and second tables 11, 12 in the communication node 10.
If it is desired to inhibit accessing from a certain role ID to a certain destination, as in the case of role—0002 of
It is now presupposed that entries have been set in each of the first and second tables 11, 12. If, in this state, the communication node 10 receives a packet with source IP address 192.168.100.1 and destination IP address 192.168.0.1, it decides the role ID from the first table 11. It then decides from the second table 12, using the combination of that role ID and the destination, whether access is allowed, and forwards the packet accordingly. Likewise, if the communication node 10 receives a packet with source IP address 192.168.100.10 and a destination IP address within 192.168.100.0/24, it decides the role ID from the first table 11, checks from the second table 12, using the combination of the role ID and the destination, whether access is allowed, and accordingly decides that the packet is not to be forwarded.
The foregoing shows the basic operation of the subject exemplary embodiment. It is noted that there may be occasions wherein a plurality of roles are assigned to a single user.
In an example of
When the check of which role or roles have been assigned to the user has come to a close, the packet processing unit 13 of the communication node 10 searches the second table 12 for an entry that matches the content of the role decision result storage area 141 of the memory 14 (i.e., the role or roles held by the user) and the destination IP address of the received packet. If a matching entry is found, the processing content stated in the entry (Action) is executed. If, for example, the decision by the first table 11 shows that the user at the source of packet transmission has roles A and B, and the decision by the second table 12 indicates that access to the destination of interest is allowed with either role A or role B, the packet is forwarded. If the decision by the first table 11 finds that no role is assigned to the user at the transmission source, i.e., the user has not been authenticated by the authentication server 30, or if the decision by the second table 12 finds that access to the destination of interest is not allowed with the role(s) held by the user, the received packet is dropped. Instead of dropping the packet, an inquiry may be made of the control apparatus 20 as to which processing is to be performed.
The processing of setting the first and second tables 11, 12 by the control apparatus 20 will now be explained.
The control apparatus 20 then selects, from the policy DB 23, one of the roles for which no entry has yet been set in the second table (step S002). Once all of the roles have been processed, the control apparatus 20 performs no further processing and its operation ends.
The control apparatus 20 then reads-in the access control policy information table for the above mentioned selected role (see an upper part of
Then, using the list of the IP addresses, the control apparatus 20 sets the following entry:
Setting of the second table is completed by carrying out the above processing for all of the roles. Although the example entry above is for the case of allowing communication, an entry whose Action field drops the packet may also be set in order to prohibit communication.
On receipt of the result of user authentication from the authentication server 30, the control apparatus 20 acquires, from the result of the user authentication, an IP address of a client and the role assigned to a user (step S102).
Then, using the client's IP address and the role assigned to the user, the control apparatus 20 sets the following entry:
By setting the first and second tables 11, 12 as necessary, as described above, the communication node alone can exercise role-based access control. That is, the processing that would otherwise require the control apparatus 20 to check, on each inquiry from the communication node, whether access is allowed for the role and then to set an entry in the communication node for that inquiry is realized within the communication node itself. Hence the control apparatus no longer has to perform a corresponding entry setting operation per inquiry.
In the above explanation, an entry is set in the first table with the notification of the user authentication result from the authentication server 30 as the trigger. If, on the other hand, the correspondence between a terminal's IP address and its role is known at the outset, an entry for deciding the role may be set in the first table with an instruction from a network administrator or a batch process as the trigger.
In the above explanation, a role is recorded by setting a bit. Alternatively, a system that records a letter or a number representing the role may be used. For example, roles A, B are respectively set for the numerical
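The following is an added example, not code from the patent, that models both sides of what is described above: the node-side two-table lookup (role bitmap decided from source address and ingress port, then the Allow/Deny decision from the held roles and the destination, with the union semantics of the text) and the control-apparatus-side generation of both tables from authentication results and the policy DB (steps S002, S003 and S102). Role IDs, bit assignments, ingress ports and the policy are constructed for illustration; the IP addresses reuse those of the worked example earlier in this embodiment. It also computes the entry counts compared above (users multiplied by resources versus users plus roles multiplied by resources).

```python
"""Two-table role-based access control in a single switch: first table -> role bitmap,
second table -> Allow/Deny. Added example modelled on exemplary embodiment 1; the role
IDs, bit positions, ports and policy below are constructed, not taken from the patent."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# One bit per role, so a user holding several roles is a single bitmap (assumed assignment).
ROLE_BITS = {"role-0001": 1 << 0, "role-0002": 1 << 1}


@dataclass(frozen=True)
class FirstEntry:
    """Match: source address and the ingress port it is expected on. Result: role bitmap."""
    src: IPv4Address
    in_port: int
    roles: int


@dataclass(frozen=True)
class SecondEntry:
    """Match: role mask and destination prefix. Result: Allow (output port) or Deny (drop)."""
    role_mask: int
    dst: IPv4Network
    action: str  # "output:<port>" or "drop"


def build_first_table(auth_results):
    """auth_results: (client ip, ingress port, [role ids]) as reported after authentication (step S102)."""
    return [
        FirstEntry(ip_address(ip), port, sum(ROLE_BITS[r] for r in roles))
        for ip, port, roles in auth_results
    ]


def build_second_table(policy):
    """policy: {role id: [(destination prefix, action), ...]} read from the policy DB (steps S002, S003)."""
    return [
        SecondEntry(ROLE_BITS[role], ip_network(prefix), action)
        for role, rules in policy.items()
        for prefix, action in rules
    ]


def decide_roles(first_table, src, in_port):
    """First-table lookup. A known address arriving on an unexpected port gets no role (anti-spoofing)."""
    src = ip_address(src)
    for e in first_table:
        if e.src == src and e.in_port == in_port:
            return e.roles
    return 0


def lookup(first_table, second_table, src, in_port, dst, on_miss="drop"):
    """Second-table lookup: forward if any role the user holds allows the destination."""
    roles = decide_roles(first_table, src, in_port)
    if roles == 0:
        return "drop"  # unauthenticated or spoofed source: never consult the second table
    dst = ip_address(dst)
    hits = [e for e in second_table if e.role_mask & roles and dst in e.dst]
    if not hits:
        return on_miss  # table miss: drop, or "packet-in" to ask the control apparatus
    allows = [e for e in hits if e.action != "drop"]
    if allows:
        return max(allows, key=lambda e: e.dst.prefixlen).action  # most specific Allow wins
    return "drop"


def entry_counts(n_users, n_roles, n_resources):
    """Entries needed: one per (user, resource) pair versus users + roles * resources."""
    return n_users * n_resources, n_users + n_roles * n_resources


# Constructed data: three authenticated clients (one holding two roles) and two roles' policies.
AUTH = [
    ("192.168.100.1", 1, ["role-0001"]),
    ("192.168.100.10", 2, ["role-0002"]),
    ("192.168.100.20", 3, ["role-0001", "role-0002"]),
]
POLICY = {
    "role-0001": [("192.168.0.0/24", "output:10")],
    "role-0002": [("192.168.0.0/24", "output:10"), ("192.168.100.0/24", "drop")],
}
FIRST = build_first_table(AUTH)
SECOND = build_second_table(POLICY)

if __name__ == "__main__":
    print(lookup(FIRST, SECOND, "192.168.100.1", 1, "192.168.0.1"))    # output:10
    print(lookup(FIRST, SECOND, "192.168.100.10", 2, "192.168.100.5"))  # drop (Deny entry)
    print(lookup(FIRST, SECOND, "192.168.100.1", 2, "192.168.0.1"))    # drop (wrong ingress port)
    print(entry_counts(1000, 5, 200))                                  # (200000, 2000)
```

Two points are worth noticing. The role decision returns no role for a known address that arrives on the wrong port, so a spoofed source never reaches the second table. And the union semantics of the text (forward if any held role allows) mean that a Deny entry for one role does not override an Allow for another role the same user holds; a deny-overrides policy would require changing the order of the checks in lookup(). On a real OpenFlow switch the role bitmap would be carried between the two lookups in packet metadata or a register rather than in the memory 14 of the text.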
In the exemplary embodiment 1 of the present invention, the second table is a single table. Alternatively, a plurality of second tables 12-1, 12-2˜12-N, where N denotes the number of the roles, may be provided, each for one role, as shown in
A configuration premised on the use of a scheme similar to the ‘goto’ instruction of Non-Patent Literature 2 will now be described with reference to the drawings.
The packet processing unit 13 of the communication node 10B then searches the second table thus decided on, i.e., one of the tables 12A to 12Z, for an entry whose match condition coincides with the destination IP address of the received packet. If ‘access allowed (Allow)’ is set in the entry found, the packet processing unit 13 of the communication node 10B forwards the received packet on the specified port. If no pertinent entry is found, or ‘access inhibited (Deny)’ is set, the packet processing unit 13 of the communication node 10B drops the received packet.
If no pertinent entry is found in the second table, an inquiry may be made of the control apparatus 20 instead of dropping the received packet. Specifically, an entry without any match condition, whose action is to drop the packet or to inquire of the control apparatus, may be added at the trailing end of the second table with the lowest priority, so that it is hit only when no other entry matches (in OpenFlow terms, a table-miss entry). Alternatively, a separate table used only when no pertinent entry is found may be prepared, and a ‘goto’ instruction with the lowest priority added at the trailing end of the second table so as to jump to that separate table.
The processing of setting the first table 11B and the second tables 12A to 12Z in the subject exemplary embodiment will now be explained.
The control apparatus 20B then reads-in the access control policy information table for the selected role (see an upper part of
The control apparatus 20B then prepares a second table for the selected role in the communication node 10B (step S203).
The control apparatus 20B then sets the following entry:
Setting of the Z second tables is completed by carrying out the above processing for all Z roles. Although the example entry above is one that allows communication, communication may also be inhibited by setting an entry whose Action drops the packet.
On receipt of the results of the user authentication from the authentication server 30, the control apparatus 20B acquires, from the results of the user authentication, the client's IP address and the role allocated to the user (step S102). So far, the operation of the control apparatus is similar to that of the control apparatus 20 of the exemplary embodiment 1 shown in
The control apparatus 20B then searches the second table for the role specified in the step S102 (step S303).
The control apparatus 20B then sets the following entry:
By providing a plurality of second tables as described above, the second tables become easier to manage, for example when the rights of a role change, since only the table for that role needs to be rewritten. Moreover, the communication node 10B need not reference all of the entries of a single second table 12, but only the second table(s) belonging to the role(s) decided by the first table 11, which speeds up entry search in the communication node 10B.
In the foregoing, an entry is set in the first table with the notification of the user authentication result from the authentication server 30 as the trigger. If, however, the correspondence between a terminal's IP address and its role is known at the outset, an entry instructing a jump to the second table to be referenced may be set in the first table for each role, with an instruction from a network administrator or a batch process as the trigger.
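As an added example, not code from the patent, the following models the multi-table variant of this embodiment: table 0 plays the first table 11B, whose entries jump with a goto to one second table per role; each second table ends with a lowest-priority entry that drops the packet or hands it to the control apparatus; and a change to a role's rights replaces only that role's table while table 0 is untouched. It assumes one role per user and constructs all addresses, ports, role IDs and policy data. to_ovs() prints the equivalent ovs-ofctl command for a flow (goto_table needs OpenFlow 1.1 or later, hence -O OpenFlow13) but executes nothing.

```python
"""Per-role second tables reached with a goto-table instruction, modelled on exemplary
embodiment 2. Added example; the tables, addresses, ports, role IDs and policy are
constructed and the pipeline is a simplified model of OpenFlow 1.3 multi-table matching."""
from ipaddress import ip_address, ip_network

ROLE_TABLE = {"role-0001": 1, "role-0002": 2}  # one second table per role (assumed ids, step S203)


def entry(table, priority, match, actions):
    return {"table": table, "priority": priority, "match": dict(match), "actions": actions}


def matches(match, pkt):
    """Exact match on every field except nw_dst, which is a prefix match; {} matches everything."""
    for field, want in match.items():
        if field == "nw_dst":
            if ip_address(pkt["nw_dst"]) not in ip_network(want):
                return False
        elif pkt.get(field) != want:
            return False
    return True


def run_pipeline(flows, pkt, max_tables=8):
    """Start in table 0 and follow goto_table until a terminal action is reached."""
    table = 0
    for _ in range(max_tables):  # guard against a goto loop in a bad flow set
        hits = [f for f in flows if f["table"] == table and matches(f["match"], pkt)]
        if not hits:
            return "drop"  # no table-miss entry installed: OpenFlow 1.3 drops by default
        act = max(hits, key=lambda f: f["priority"])["actions"]
        if act.startswith("goto_table:"):
            table = int(act.split(":", 1)[1])
            continue
        return act
    return "drop"


def first_table(auth_results):
    """(client ip, ingress port, role) -> goto that role's table; a lowest-priority entry drops the rest."""
    flows = [
        entry(0, 100, {"nw_src": ip, "in_port": port}, f"goto_table:{ROLE_TABLE[role]}")
        for ip, port, role in auth_results
    ]
    flows.append(entry(0, 0, {}, "drop"))  # unauthenticated or spoofed source
    return flows


def role_table(role, rules, on_miss="drop"):
    """Second table for one role: Allow (output port) or Deny per destination prefix, plus a miss entry."""
    t = ROLE_TABLE[role]
    flows = [entry(t, 100, {"nw_dst": prefix}, action) for prefix, action in rules]
    flows.append(entry(t, 0, {}, on_miss))  # "drop", or "CONTROLLER" to inquire of the control apparatus
    return flows


def replace_role_table(flows, role, rules, on_miss="drop"):
    """A change in a role's rights rewrites only that role's table; table 0 is left as it is."""
    t = ROLE_TABLE[role]
    return [f for f in flows if f["table"] != t] + role_table(role, rules, on_miss)


def to_ovs(flow, bridge="br0"):
    """Equivalent ovs-ofctl command for one flow (printed only, never executed here)."""
    m = ",".join(f"{k}={v}" for k, v in flow["match"].items())
    spec = f"table={flow['table']},priority={flow['priority']}" + (f",ip,{m}" if m else "")
    acts = flow["actions"]
    return f'ovs-ofctl -O OpenFlow13 add-flow {bridge} "{spec},actions={acts}"'


# Constructed data: two authenticated clients, one role each, and two roles' policies.
AUTH = [("192.168.100.1", 1, "role-0001"), ("192.168.100.10", 2, "role-0002")]
POLICY = {
    "role-0001": [("192.168.0.0/24", "output:10")],
    "role-0002": [("192.168.0.0/24", "output:10"), ("192.168.100.0/24", "drop")],
}
FLOWS = first_table(AUTH) + [f for r, rules in POLICY.items() for f in role_table(r, rules)]

if __name__ == "__main__":
    for f in FLOWS:
        print(to_ovs(f))
    print(run_pipeline(FLOWS, {"nw_src": "192.168.100.1", "in_port": 1, "nw_dst": "192.168.0.1"}))  # output:10
    print(run_pipeline(FLOWS, {"nw_src": "192.168.100.1", "in_port": 9, "nw_dst": "192.168.0.1"}))  # drop
```

The miss entry of each second table is where the choice between dropping and inquiring of the control apparatus is made; installing it with CONTROLLER as the action turns every unmatched destination into a Packet-In, which is the load the two-table scheme is meant to avoid, so it is best reserved for roles whose policy is still being built up.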
It should be noted that, while preferred exemplary embodiments of the present invention are described above, the present invention is not to be restricted to these particular exemplary embodiments, such that further changes, substitutions or adjustments may be made within the range not departing from the basic technical concept of the invention. For example, the configurations of the networks or components shown in the drawings are merely illustrations to assist in understanding the invention, and the present invention is not to be restricted to the configurations shown in the drawings.
Moreover, in the above described exemplary embodiments, the role is decided using an IP address and the accessing possible/not possible state of the destination is decided from the role. However, the information other than the IP address, for example, a MAC (Media Access Control) address, may, of course, be used and, in addition, the input port information may be set in the match conditions.
In the above described exemplary embodiment 1, the role decision result storage area is provided in the memory 14 of the communication node 10 for retention of the result of the role decision. Alternatively, modified configurations may be used. For example, according to the OpenFlow specification of Non-Patent Literature 2, a header rewrite action may be set as an instruction. Thus a configuration may be used in which the role information is written into a preset area of the packet header based on the result of the decision by the first table, and that same area is then set as a match condition of the second table. In either case, information on attributes or rights may be used in place of the role information.
Finally, certain preferred modes of the present invention will be shown by way of giving a summary.
The disclosures of the above mentioned Patent Literatures as well as non-Patent Literatures are to be incorporated herein by reference. The exemplary embodiments or Examples may be modified or adjusted within the concept of the total disclosures of the present invention, inclusive of claims, based on the fundamental technical concept of the invention. A wide variety of combinations or selections of elements herein disclosed (elements of claims, Examples and drawings) may be made within the context of the claims of the present invention. That is, the present invention may include a wide variety of changes or corrections that may occur to those skilled in the art in accordance with the total disclosures inclusive of the claims and the drawings as well as the technical concept of the invention. In particular, it should be understood that any optional numerical figures or sub-ranges contained in the ranges of numerical values set out herein ought to be construed to be specifically stated even in the absence of explicit statements.
Number | Date | Country | Kind |
---|---|---|---|
2012-227922 | Oct 2012 | JP | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2013/077752 | 10/11/2013 | WO | 00 |